Remove special Firefox instructions in >=.NET 6 sections #33472

Closed
wants to merge 3 commits into from

@tdykstra tdykstra commented Aug 29, 2024

Fixes #33230


Internal previews

| 📄 File | 🔗 Preview link |
| --- | --- |
| aspnetcore/security/enforcing-ssl.md | Enforce HTTPS in ASP.NET Core |

@tdykstra tdykstra marked this pull request as ready for review August 29, 2024 02:43
amcasey (Member) commented Sep 6, 2024

I think these changes were probably prompted by a comment from me, but I can't recall the context. Would you happen to have a link or something?

@@ -345,36 +301,6 @@ For chromium browsers on Linux:

<a name="trust-ff-linux"></a>

#### Trust the certificate with Firefox on Linux
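
Review bot: The `<a name="trust-ff-linux"></a>` anchor at the top of this hunk sits directly above the heading of the section being cut (the header shrinks the range from 36 lines to 6). If the anchor goes with the section, any link to `#trust-ff-linux` from elsewhere in the docs stops resolving, so search for references to it before deleting, or keep the anchor on whichever section now covers Firefox on Linux.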

Member

Why delete, rather than update, this section? It seems like we could just tell people to run certutil as for Chromium.

Member

There's a note in an unedited part of this document (above) that says certutil is "legacy". I'm not sure why - maybe just the specific version linked?

Member

Above, where it says to run certutil twice, it should probably only be run once - with "P,," for Chromium or "C,," for Firefox.

Contributor

> Why delete, rather than update, this section? It seems like we could just tell people to run certutil as for Chromium.

Are the instructions using certutil on FF different than for Chromium? If not, we'll make sure the Chromium instructions say Chromium and FF.

Contributor

> There's a note in an unedited part of this document (above) that says certutil is "legacy". I'm not sure why - maybe just the specific version linked?

The legacy comment is only for the Red Hat Enterprise Linux tab.

Member

> Are the instructions using certutil on FF different than for Chromium? If not, we'll make sure the Chromium instructions say Chromium and FF.

The two differences are the usage, as noted in my comment, and the location of the database. Otherwise, it should be the same.
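
Added example, not part of the PR or of the docs it edits: the point made in this thread, one `certutil` import per NSS database with `P,,` for Chromium and `C,,` for Firefox, as shell functions that print the commands instead of running them. The database locations (`~/.pki/nssdb`, `~/.mozilla/firefox/<profile>`), the certificate path and the nickname are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: print one certutil import per NSS database found under a
# home directory, picking the trust flags by browser.

# trust_flags BROWSER -> NSS trust string named in the thread
trust_flags() {
    case "$1" in
        chromium) printf '%s' 'P,,' ;;  # trusted peer
        firefox)  printf '%s' 'C,,' ;;  # trusted CA for TLS server certs
        *) return 1 ;;
    esac
}

# nss_dbs HOME_DIR -> "browser<TAB>dbdir" per database.
# Paths are the usual per-user defaults (assumption, not from the thread).
nss_dbs() {
    if [ -f "$1/.pki/nssdb/cert9.db" ]; then
        printf 'chromium\t%s\n' "$1/.pki/nssdb"
    fi
    for db in "$1"/.mozilla/firefox/*/cert9.db; do
        # An unmatched glob stays literal, so test before using it.
        if [ -f "$db" ]; then
            printf 'firefox\t%s\n' "${db%/cert9.db}"
        fi
    done
}

# plan_imports HOME_DIR CERT_FILE NICKNAME -> one command line per database
plan_imports() {
    tab=$(printf '\t')
    nss_dbs "$1" | while IFS=$tab read -r browser dir; do
        flags=$(trust_flags "$browser") || continue
        printf 'certutil -d "sql:%s" -A -t "%s" -n "%s" -i "%s"\n' \
            "$dir" "$flags" "$3" "$2"
    done
}

# Example (constructed paths): plan_imports "$HOME" ./aspnet-dev.crt aspnet-dev
```

Review the printed lines before piping them to `sh`; a Firefox installed as a snap or flatpak keeps its profiles elsewhere and is not found by `nss_dbs`.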

@Rick-Anderson (Contributor)

> I think these changes were probably prompted by a comment from me, but I can't recall the context. Would you happen to have a link or something?

#33221

@@ -1003,6 +915,8 @@ For chromium browsers on Linux:

### Trust the certificate with Firefox on Linux

In some instances the Firefox browser uses its own certificate store, and therefore doesn't trust the [IIS Express](/iis/extensions/introduction-to-iis-express/iis-express-overview) or [Kestrel](xref:fundamentals/servers/kestrel) developer certificates and requires the following instructions.
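
Review bot: "In some instances" in the paragraph under `### Trust the certificate with Firefox on Linux` gives the reader no way to tell whether they are in one of those instances. Name the condition, for example the Firefox versions affected or the error the reader sees, so that people who don't need the manual steps can skip the section. The tail "and requires the following instructions" also has no clear subject; "In that case, follow these instructions" would read better.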

Contributor

@amcasey and @tdykstra I think in the FF section we should add something like the following:

In some instances these instructions don't work with Firefox on Linux. See [Trust the HTTPS certificate with Firefox](https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-5.0&tabs=visual-studio%2Clinux-ubuntu#trust-the-https-certificate-with-firefox-to-prevent-sec_error_inadequate_key_usage-error-1) for alternative instructions. The link goes back to .NET 5 and has all the previous instructions.

Member

AFAIK, the old instructions apply to old versions of Firefox, rather than to old versions of .NET. If you're on a new enough .NET that --trust works, no Firefox-specific steps should be required. Otherwise, the instructions should be as for Chromium, but with "C,," and different locations.

Or maybe I've misunderstood your suggestion? I'm not entirely sure where in the document this text occurs.

Contributor

> AFAIK, the old instructions apply to old versions of Firefox, rather than to old versions of .NET. If you're on a new enough .NET that --trust works, no Firefox-specific steps should be required. Otherwise, the instructions should be as for Chromium, but with "C,," and different locations.
>
> Or maybe I've misunderstood your suggestion? I'm not entirely sure where in the document this text occurs.

Great, we'll replace that with older versions of FF.

@@ -905,6 +815,8 @@ dotnet dev-certs https --help

### Trust the HTTPS certificate with Firefox to prevent SEC_ERROR_INADEQUATE_KEY_USAGE error

In some instances the Firefox browser uses its own certificate store, and therefore doesn't trust the [IIS Express](/iis/extensions/introduction-to-iis-express/iis-express-overview) or [Kestrel](xref:fundamentals/servers/kestrel) developer certificates and requires the following instructions.
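
Review bot: The paragraph under `### Trust the HTTPS certificate with Firefox to prevent SEC_ERROR_INADEQUATE_KEY_USAGE error` is word for word the one under `### Trust the certificate with Firefox on Linux` in the `-1003,6 +915,8` hunk, and two copies will drift apart. Keep the text in one place and link to it from the other, or tie this copy to the error the heading already names, e.g. "If Firefox reports SEC_ERROR_INADEQUATE_KEY_USAGE, follow these instructions."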

Member

This seems to overlap substantially with the following paragraph.

tdykstra (Contributor, Author) commented Sep 9, 2024

Addressed by #33221

@tdykstra tdykstra closed this Sep 9, 2024
@tdykstra tdykstra deleted the tdykstra-patch-2 branch November 13, 2024 00:03
Successfully merging this pull request may close these issues.

Remove FF special Trust the HTTPS cert instructions